Information Assurance and Security 1

Questions and Answers

What is produced at the end of the project feasibility phase?

Maintenance Schedule

Project Design Document

Feasibility Report (correct)

Testing Plan

What is included in the Software Requirement Specification (SRS) document?

Resource Allocation

Network Requirements (correct)

Marketing Strategies

User Feedback

During the system design phase, what major document is created?

Design Document (correct)

Implementation Report

Test Report

User Manual

Which activity is performed during the implementation phase?

Translating SRS into Source Code

What is NOT a focus of the maintenance/support phase?

Gathering Initial User Feedback

Which of the following best describes the purpose of the contingency plan created during system design?

To address potential system failures

What key task is included in the test plan during the implementation phase?

Test Case Generation

At which phase is the evaluation and prioritization of system requirements performed?

Analysis and Specification

What are the primary objectives of Information Security (InfoSec)?

Confidentiality, integrity, and availability

Which of the following is NOT a phase in the Systems Development Life Cycle (SDLC)?

Evaluation

What do analysts primarily use the Systems Development Life Cycle (SDLC) for?

To develop an information system

What is included in the phases of the Systems Development Life Cycle being systematically approached?

Breaking down work into necessary phases

Which activity is typically part of the Systems Development Life Cycle?

Requirements gathering

In the SDLC, what does the 'Planning' phase involve?

Defining the problem and scope of the existing system

Which of the following best describes the purpose of a feasibility study in the SDLC?

To define the problem and overview the new system's objectives

Which of the following activities is not part of the Systems Development Life Cycle?

User experience analysis

What is the primary focus during the physical design phase of information assurance and security?

Acquiring the necessary security technology

What occurs after the security solutions are approved during the implementation stage?

The solutions are documented and integrated

Which organization is known for certifying information security professionals globally?

(ISC)2

What is the role of ISACA in the field of information assurance and security?

Setting standards for information governance and audit

What factor makes security a critical area for continued investment by companies?

The risk of financial loss from breaches

During which phase do teams analyze alternative solutions for unforeseen issues?

Physical design

What does the acronym AITP stand for?

Association of Information Technology Professionals

What is a significant aspect of the implementation phase?

Testing security solutions to meet requirements

What values are described by the organization mentioned in the content?

Integrity, respect, innovation, service

What is the primary focus of ITIL?

Managing information technology infrastructure

Which of the following organizations requires nominations for membership?

FIRST

In which year was the SANS Institute established?

1989

What type of support does ISSA provide to cyber security professionals?

Networking and professional growth opportunities

Which certification management is associated with ITIL?

EXIN and ISEB

What types of resources does the SANS Institute offer apart from courses?

Blogs, papers, webcasts, and newsletters

What is a notable aspect of FIRST?

It has strict membership compliance rules.

What is the primary focus of the Center for Internet Security (CIS)?

Offering solutions for corporate entities

Which of the following describes a necessary condition for retaining membership in an organization mentioned?

Following the organization's code of ethics

What aspect of cyber security is emphasized as critical for organizations?

Investing in the right service provider

What is highlighted as a benefit of having a scalable and customized cyber security model?

Disaster-recovery capabilities

Which tool is listed as optional for the Systems Development Life Cycle (SDLC) process?

Cellphone

What is one of the tasks suggested to illustrate the SDLC concept?

Develop a graphical flow to evaluate the SDLC

According to the content, what is a potential consequence of failing to implement proper security measures?

Loss of billions of dollars

What concept is suggested for applying the Systems Development Life Cycle to an industry?

A specific industry's best practices

Study Notes

### Information Assurance and Security 1

• The main objectives of Information Security (InfoSec) are to ensure confidentiality, integrity, and availability of company information.
• InfoSec covers many areas, including application security, infrastructure security, cryptography, incident response, and vulnerability management.
• An effective System Development Life Cycle (SDLC) should result in a high-quality system that meets customer expectations, is completed within time and cost evaluations, and works effectively and efficiently in the current and planned Information Technology infrastructure.
• The Systems Development Life Cycle (SDLC) is a conceptual model that includes policies and procedures for developing or altering systems throughout their life cycles.
• The SDLC is used by analysts to develop an information system and includes the following activities:
  • Requirements
  • Design
  • Implementation
  • Testing
  • Deployment
  • Operations
  • Maintenance

Phases of SDLC

• The SDLC is a systematic approach to implementing new or modified Information Systems.
• The SDLC process explicitly breaks down the work into distinct phases.

Feasibility Study or Planning

• Defines the problem and scope of the existing system.
• Overviews the new system and determines its objective.
• Confirms project feasibility and produces the project schedule.
• Considers system threats, constraints, integration, and security.
• Creates a feasibility report for the entire project.

Analysis and Specification

• Gathers, analyzes, and validates information.
• Defines the requirements and prototypes for the new system.
• Evaluates alternatives and prioritizes requirements.
• Examines the information needs of end-users and enhances the system goal.
• Creates a Software Requirement Specification (SRS) document, which specifies the software, hardware, functional, and network requirements of the system. ### System Design
• Includes the design of applications, networks, databases, user interfaces, and system interfaces.
• Transforms the SRS document into a logical structure, which contains detailed and complete specifications that can be implemented in a programming language.
• Creates a contingency, training, maintenance, and operation plan.
• Reviews the proposed design to ensure it meets the requirements stated in the SRS document.
• Creates a design document that will be used in the next phases.

Implementation

• Implements the design into source code through coding.
• Combines all modules into a training environment that detects errors and defects.
• Prepares a test report containing errors through a test plan that includes test-related tasks such as test case generation, testing criteria, and resource allocation for testing.
• Integrates the information system into its environment.
• Installs the new system.

Maintenance/Support

• Includes all activities such as phone support or physical on-site support for users that is required once the system is installed.
• Implements changes that software might undergo over time, or implements any new requirements after the software is deployed at the customer location.
• Handles residual errors and resolves any issues in the system even after the testing phase.

Physical Design

• The point at which the technical teams move into action.
• Evaluates and acquires the information security technology that will be needed for the implementation of all blueprints and analysis detailed during the logical design phase.
• Analyzes and maps out alternative solutions investigated for any unforeseen issues that may arise.
• All different teams issue their stamp of approval on all processes, and the green light is given to proceed.

Implementation

• Acquires the security solution decided and approved (either built in-house or outsourced).
• Provides adequate documentation on product specifications to ensure project specifications are met.
• Rolls out the implementation and integration processes, with various teams carrying out intensive testing to ensure solutions meet the requirements outlined in the various blueprints and policies.

Information Security Organizations

• Security is an area that can make or break a company.
• Keeping sensitive digital information private and protecting technical systems from viruses and hackers is critical.
• Because of this, it is one of the few specialty areas within information technology where companies will continue to invest money even in an economic downturn.

(ISC)2 (International Information Systems Security Certification Consortium)

• A highly regarded, global, not-for-profit leader in educating and certifying information security professionals.

ISACA (Information Systems Audit and Control Association)

• A global professional organization for information governance, control, security, and audit professionals.
• The standards set by ISACA are followed worldwide.
• ISACA offers several professional certifications, industry publications, and conferences.

AITP (Association of Information Technology Professionals)

• A society for IT professionals worldwide.
• AITP features webinars, conferences, local chapters, awards for professionals and students, a career center with a jobs board, and plenty of networking options.
• Their core values are integrity, respect, innovation, and service.
  • Founded in 1961 as NMAA (an association for accountants), it evolved into DPMA (for data processing professionals) before taking its current form in 1996.
• AITP has over 4500 members nationwide.

ITIL (Information Technology Infrastructure Library)

• A set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.
• ITIL certifications are managed by the ITIL Certification Management Board (ICMB), which is composed of the OGC, IT Service Management Forum International, and two examinations institutes: EXIN (based in the Netherlands) and ISEB (based in the UK).

Forum of Incident Response and Security Teams (FIRST)

• A forum that allows information security incident response teams to share their experiences, tips, and information.
• The organization holds technical colloquia, sponsors meetings and conferences, and features mailing lists and Web repositories where teams can share information and other resources.
• Members must be nominated by an existing member and have a sponsor perform a site visit.
• Once accepted, the organization requires members to comply with rules and bylaws and retains the power to revoke membership if members do not cooperate.

The SANS Institute

• Described as the "most trusted" source for information security training worldwide.
• Offers courses and certifications in a wide variety of security-related niches.
• Established in 1989.
• Its programs have educated thousands of people (currently over 12,000 a year) since then.
• Founded initially as a research organization, SANS offers many kinds of educational resources for security professionals beyond courses, including blogs, papers, webcasts, and newsletters.

ISSA (Information Systems Security Association)

• This nonprofit association focuses on providing networking and professional growth options for cybersecurity professionals worldwide.
• They host conferences, organize local chapters and committees, and distribute information through newsletters and a monthly journal.
• Members must follow the ISSA code of ethics to retain their affiliated status.

CIS (Center for Internet Security)

• Delivers solutions and information for security-related needs.
• Caters more to corporate entities (in both the public and private sectors) than to individuals.
• The organization provides resources for training and workforce development, compiles reports and case studies on industry topics, and offers various products and services (many of which are free or steeply discounted).

Information Assurance and Security 1 continued

• Information is a critical part of any organization, and investing in the right service provider keeps your business in safe hands in the ever-expanding Internet of Things (IoT) world.
• A scalable and customized cybersecurity-driven business model includes disaster-recovery capabilities and secures data and the underlying infrastructure of the organization, thus building a safe barrier for the information even before it is attacked and saving the organization from a loss of billions of dollars that could result from the security threat.

Description

This quiz explores the core concepts of Information Security, focusing on its primary objectives: confidentiality, integrity, and availability. It delves into essential topics such as the System Development Life Cycle (SDLC) and various aspects of information security like application and infrastructure security.